ASK THE EXPERT : World IPv6 Day: What Should You Do?

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about dual IPv6 and IPv6 stacked environment with Cisco subject matter expert Phil Remaker who can also explain typical failure modes in IPv6 transport and DNS that might be experienced. Phil will introduce some websites you can use to test your IPv6 connectivity in advance of World IPv6 Day and will be able to share with you about IPv6 connectivity options for websites and end users. Phil is a distinguished support engineer at Cisco and is recognized for his wide range of knowledge and skills in Cisco products, networking protocols, and systems. He currently works as a technical leader in the Cisco Services Technical Services organization focusing on vexing problems around security, software release, and product manageability. You can watch the webcast here. You can also read all the questions that were asked and responded to during the live webcast here.

Remember to use the rating system to let Phil know if you have received an adequate response.

Phil might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through May 27, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Thanks to all who attended and asked questions. I will do my best to answer them based on what I understand the question to mean. If I am not clear, please rephrase the question or ask another question.

Question: Is there a way to test IPv6 tunnels if your service provider is not providing IPv6?

Correction: 5/20/2011 - several folks privately pointed out to me that the mentioned article above refers only to passing IP protocol 41 through the firewall from a tunnel endpoint inside the firewall. As of this writing, the ASA does not have the capability to terminate a 6in4 tunnel.

It depends a lot on your environment. If the devices are mostly under your administrative control and still have to contact a lot of IPv4 devices, dual stack still makes the most sense.

If you are facing serious IPv4 address space constraints or the devices will primarily speak to other IPv6 or you want to be able to take advantage of the simplicities of an all IPv6 environment, then NAT64 may be the better choice.

Be aware that at this point, the Cisco NAT64 implementations are 1:1 (stateless), meaning that each IPv6 address reaching out to an IPv4 device needs to be matched to a dedicated IPv4 address. Presumably, a 1:many (stateful) NAT64 implementation will eventually become available.

In the end, the decision rests on your goals in your own network. Ivan Pepelnjak makes a good case for NAT64 in a recent blog at http://blog.ioshints.info/2011/05/nat64-its-all-about-legacy-content.html, but most enterprises I see are opting for dual stack since they have well established IPv4 processes. Even so, I know one large enterprise that prefers all IPv6 internally for the ease of subnet migration afforded by IPv6 as well as the ability to do away with stateful DHCP and IPv4 subnet management issues. For them, NAT64/DNS64 is the best path to access legacy IPv4 content.

Question:

Will 6to4 clients be impacted if we don't route IPv6 with our Inet carrier?

The beauty (horror?) of 6to4 is that it can run completely on an all-IPv4 carrier infrastructure. In fact, if you have a Windows Vista (or later) end host that gets assigned a global (non-RFC1918) address, it will automatically build a 6to4 tunnel to the nearest 6to4 relay using the well known anycast address of 192.0.2.42. Similarly, some home gateways will automatically form 6to4 tunnels without end-user intervention. So, even if your carrier does not run IPv6, any device that can reach the anycast address of 192.0.2.42 and pass IP protocol 41 can form a 6to4 tunnel. In summary, 6to4 clients do not need IPv6 on the carrier as long as they can reach a 6to4 relay over IPv4.
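
An added example, not part of the original thread and not a Cisco tool: one way to see which hosts are forming the automatic IPv6-in-IPv4 tunnels described above is to look for IP protocol 41 in flow records and to decode the IPv4 address embedded in 2002::/16 (6to4, RFC 3056) addresses. The flow record format, the function names and every sample address are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PROTO_41 = 41  # IPv6-in-IPv4 encapsulation, the protocol a 6to4 tunnel needs to pass
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow export, hypothetical format: src_ipv4,dst_ipv4,ip_protocol,packets
SAMPLE_FLOWS = """\
198.51.100.10,203.0.113.1,41,120
198.51.100.10,203.0.113.80,6,45
198.51.100.22,203.0.113.1,41,8
10.1.1.5,203.0.113.80,6,300
198.51.100.10,203.0.113.9,41,3
"""

def is_rfc1918(v4):
    """True when the IPv4 address falls in one of the RFC1918 private blocks."""
    return any(v4 in net for net in RFC1918)

def tunnel_endpoints(flow_text):
    """Map each source host to the set of peers it sent protocol 41 packets to."""
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, _packets = line.split(",")
        if int(proto) == PROTO_41:
            peers[src].add(dst)
    return dict(peers)

def describe_6to4(v6_text):
    """Return (embedded IPv4, non_rfc1918) for a 2002::/16 address, else None."""
    v4 = ipaddress.IPv6Address(v6_text).sixtofour
    if v4 is None:
        return None
    # 6to4 derives its prefix from the host's IPv4 address; an RFC1918
    # address embedded here points at a tunnel that cannot work end to end.
    return str(v4), not is_rfc1918(v4)

if __name__ == "__main__":
    for host, peers in sorted(tunnel_endpoints(SAMPLE_FLOWS).items()):
        print(host, "->", sorted(peers))
    for addr in ("2002:c633:640a::1", "2002:c0a8:0101::1", "2001:db8::1"):
        print(addr, describe_6to4(addr))
```

Hosts that show up in the first report without an approved tunnel configuration are carrying IPv6 that IPv4-only filtering and monitoring will not see.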

Question: Do I need to change configuration in my router to route to ipv6 address host?

If you want to run IPv6 natively on the LAN, you will need to configure IPv6 on your router. However, it is possible for IPv4 speaking hosts to directly terminate IPv6 through IPv4 so that the router does not NEED to participate. However, for the most seamless experience to the end user, IPv6 should be enabled on the router interfaces.

Question:

Roughly what percentage of public networks do not yet support ipv4?? Conversely, does common modern datacenter equipment already support ipv6 and come configured to use it by default?

As for the second part of the question, it depends on your definition of "Modern Datacenter Equipment." My estimation is "not enough!!" Clearly, all layer 2 switches "support" IPv6, but layer-crossing features like ARP and DHCP spoofing defense take different form when using IPv6 (collectively, the feature set is called "First Hop Security"). Industry wide, vendors are striving to get more IPv6 features in more places as fast as possible. Which features do you most need in your modern datacenter equipment?

I have a confusion to request for you which concerns about VoIP. In fact we built up a small IPv6 network in our school library, which made up with three routers with the routing protocol RIPv6, now the situation is that each computer can ping successfully to other two ones. Then I should achieve VoIP under this environment, I set up one server that has installed asterisk who is version 1.8 under the subnet 2002:0:0:100:0/64, put two other clients under the subnet 2002:0:0:200:0/64, if I want to establish a call between these two sides, whether I could use the document 'Implementing VoIP for IPv6' as the reference? I have checked that the IOS necessary is 12.4(22), but ours is 12.4(13r), should I have to upgrade it?

'Implementing VoIP for IPv6' is a reference for using IPv6 features in Cisco Voice Gateway products.

If your 3 devices are just acting as IPv6 packet routers not as VoIP endpoints, code older than 12.4(22) should be OK.

However, what worries me is that you report the version as 12.4(13r), which is not an IOS version but a ROM Monitor version. Please issue the "show version" command and look for the IOS Software version and not the ROM monitor version.

We all thought it was difficult to deploy IPv6 on the core, but that is the easy part. What about IPv6 deployment at the access layer?

I'm not sure I understand this question, since it depends on what aspects of the access layer. Assuming you mean getting endpoints to be IPv6 capable, just have your routers provide ICMP router advertisement information and make sure your devices have IPv6 capable stacks.

In some ways, yes. The depth of the address space makes it possible for devices to pick their own addresses without end-user intervention. Many hosts can be placed on a flat subnet without worrying about exhausting the address space. Managing subnet blocks on a DHCP server becomes a thing of the past. Address management is remarkably easier.

Subnet re-addressing becomes easier, too. Graceful subnet renumbering is possible by the protocol design and the abundance of address space, permitting two different subnets to exist on one subnet during the address deprecation process.

On the downside, not all network management tools (yet) support IPv6, and some management tools have a concept of "exactly one address per device." The ability for an IPv6 device to have many addresses provides some interesting capabilities around privacy and policy enforcement, but management processes that fail to recognize such a capability may cause the network to seem less manageable.

How to enter the IPv4 in network address of PC?

How to enter the IPv6 in network address of PC?

This depends on the operating system. In most modern operating systems, some form of a Network Control Panel exists in the GUI. In most IPv6 cases, the device will automatically pick its own address.

NAT timeouts will not disrupt long-standing but traffic-idle connections (and NAT keepalives are no longer needed).

Features like Microsoft DirectAccess can provide direct point to point IPv6 connection between devices without having to manage VPN concentrators or Network Address Translation device configurations.

Privacy addressing. Devices can rotate their IPv6 address, making them harder to track in web server logs.

Potential for improved efficiency and performance of peer-to-peer communication. Currently, BitTorrent and WOW take advantage of this, but one can envision future inter- and intra- enterprise peer to peer apps may follow. Insert imagination here.

The biggest win for now still remains the sheer size of the address space, and the ability to bypass the use of NAT devices. The ability to directly reach devices without application layer gateways or other "packet rewriters" opens the door for many future applications as IPv6 adoption increases.

Hey, I didn't like any of these answers!

Ask another question below, or post some clarifying information and I will do my best to develop a more satisfying answer.